Why do COUNT requests not get funneled through the "fetch" hook?

You mention in your documentation that a "fetch" hook can be used to deny access to a collection, but a COUNT request can still get information about the collection even if access is denied, can't it?

I am restricting access to the collection using business logic, but COUNT does not get filtered through the fetch hook. Isn't this a big security risk? How am I supposed to restrict access correctly using business logic?

Hey. `Fetch` is another name for a `Get` HTTP request. The `Count` operation is technically an `aggregate`, and does not use the same pipeline as a GetEntity or Get request from the Java/Android libraries.

I would recommend using access control lists `_acl`, which is a provided GenericJson class you can add to your entities. Take a look at Caroline's post here to get some more info on how to set them up: https://support.kinvey.com/discussion/comment/201904552

Hi James, I think this relates back to another [thread](https://support.kinvey.com/discussion/201272251/how-do-i-offer-access-of-a-private-collection-to-another-user "thread"). I'll copy-paste the answer here, too.

If you use ACLs instead of restricting through BL, then _count would respect that. The best way to do that is via the REST API. I put up a post about user groups and permissions here, which may help: https://support.kinvey.com/discussion/comment/201904552